Legend:

The Buildbot WWW service publishes most of `c['www']` to the web frontend so that it can use that data for configuration. Unfortunately, when hooks are configured, that data may contain secrets for those hooks.

The immediate solution is to omit the `change_hook_dialects` key, preventing this disclosure key - see https://github.com/buildbot/buildbot/pull/1891. The longer-term fix is to whitelist the configuration keys published - see #3374.

12

The immediate solution is to omit the `change_hook_dialects` key, preventing the disclosure of this key - see https://github.com/buildbot/buildbot/pull/1891. The longer-term fix is to whitelist the configuration keys published - see #3374.

11

13

12

Buildbot-0.9.0b5 contains the fix in pull request 1891. All users who have deployed a 0.0.0 beta with web hooks containing secrets are encouraged to update and to rotate their secrets. Packages are available at

14

= Recommended Fix =

15

16

Buildbot-0.9.0b5 contains the fix in pull request 1891. All users who have deployed a 0.9.0 beta with web hooks containing secrets are encouraged to update and to rotate their secrets. Packages are available at